Lojack Becomes a Double-Agent

Executive Summary

ASERT recently discovered Lojack agents containing malicious C2s. These hijacked agents pointed to suspected Fancy Bear (a.k.a. APT28, Pawn Storm) domains. The InfoSec community and the U.S. government have both attributed Fancy Bear activity to Russian espionage activity. Fancy Bear actors typically choose geopolitical targets, such as governments and international organizations. They also target industries that do business with such organizations, such as defense contractors. Lojack, formally known as Computrace, is a legitimate laptop recovery solution used by a number of companies to protect their assets should they be stolen. Lojack makes an excellent double-agent due to appearing as legit software while natively allowing remote code execution. Although the initial intrusion vector for this activity remains unknown, Fancy Bear often utilizes phishing email to deliver payloads.

NOTE: Arbor APS enterprise security products detect and block on all activity noted in this report.

The distribution mechanism for the malicious Lojack samples remains unknown. However, Fancy Bear commonly uses phishing to deliver malware payloads as seen with Sedupload in late 2017.

UPDATE

May 3, 2018 – After the disclosure of the malicious Lojack binaries, many Anti-Virus vendors have been quick to respond in properly marking samples as “malware” and “DoubleAgent”, rather than “Riskware” or “unsafe” (Figure 2).

May 4th 2018 – UPDATE FROM ABSOLUTE SOFTWARE:

“The analysis of the samples provided by Arbor shows all were based on an illicitly modified old version of the LoJack agent from 2008 and no customers or partners have been impacted. For customers who wish to confirm no legacy agents are present in their environment, we have published an advisory with steps to verify all installed agents are legitimate copies of the LoJack product. Additional details are provided at https://www.absolute.com/en/resources/faq/absolute-response-to-arbor-lojack-research.”

May 9th 2018 – Disclaimer:

Prior reports have misidentified LoJack instead of Absolute LoJack for Laptops, also known as Computrace. LoJack for Laptops and Computrace are products of Absolute, not LoJack or CalAmp.

Lojack Summary

Absolute Software, the creator of Lojack, says on its website (https://www.absolutelojack.com/) that the agent can locate and lock a device remotely. Additionally, it can delete files, making it an effective laptop theft recovery and data wiping platform. Lojack can survive hard drive replacements and operating system (OS) re-imaging. The agent achieves this persistence through a modular design as noted by Vitaliy Kamlyuk, Sergey Belov, and Anibal Sacco in a presentation at Blackhat, 2014 (Figure 1):

The aforementioned researchers suggest the binary modification of the “small agent” is trivial. The Lojack agent protects the hardcoded C2 URL using a single byte XOR key; however, according to researchers it blindly trusts the configuration content. Once an attacker properly modifies this value then the double-agent is ready to go. This is not the only aspect that makes Lojack an appealing target. Attackers are also concerned about AV detection. Looking on VirusTotal, some anti-virus vendors flag Lojack executables as ”unsafe”, but as noted as of May 3, many AV now flag the binaries as malware and DoubleAgent (Figure 2).

Figure 2: Virustotal AV Report of cf45ec807321d12f8df35fa434591460

Originally, the low AV detection, allowed the attacker to hide in plain sight, an effective double-agent. The attacker simply needs to stand up a rogue C2 server that simulates the Lojack communication protocols. Finally, Lojack’s “small agent” allows for memory reads and writes which grant it remote backdoor functionality when coupled with a rogue C2 server.

Lojack Double-Agent

ASERT has identified five Lojack agents (rpcnetp.exe) pointing to 4 different suspected domains. Fancy Bear has been tied to three of the domains in the past.

Hash

Compilation Time

Size in Bytes

Rogue C2 Servers

AV Detection on VT

f1df1a795eb784f7bfc3ba9a7e3b00ac

2008-04-01 19:35:07

17,408

sysanalyticweb[.]com

2/67

6eaa1ff5f33df3169c209f98cc5012d0

2008-04-01 19:35:07

17,408

sysanalyticweb[.]com

4/66

f3c6e16f0dd2b0e55a7dad365c3877d4

2008-04-01 19:35:07

17,408

elaxo[.]org

3/62

cf45ec807321d12f8df35fa434591460

2008-04-01 19:35:07

17,408

ikmtrust[.]com

2/64

f391556d9f89499fa8ee757cb3472710

2008-04-01 19:35:07

17,408

lxwo[.]org

9/65

Table 1: Lojack Double-Agents on VirusTotal

Binary Comparisons

ASERT believes all these binaries are rpcnetp.exe (small agent) due to the following characteristics:

After confirming the stage of the Lojack agent, binary comparison analysis confirmed that they were legitimate Lojack samples. The comparison also highlighted that the attacker did not graft additional functionality into the binary. ASERT used the presence of search.namequery[.]com in the binary and the yara rule to identify legitimate Lojack samples. Lojack’s Absolute Software Corp. owns search.namequery[.]com; we have no evidence the legitimate site has been used for nefarious purposes.

NOTE: All samples, both rogue and the two “clean” samples (below), matched 100% based on Diaphora’s function matching algorithm.

“Clean” Samples:

e78e3b0171b189074d2539c7baaa0719

ac1a85d3ca1b6265cad4ed41b696f9b7

Only the presence of the rogue C2’s make the samples in Table1 malicious. The attackers are merely hijacking the communication used by Lojack, thereby granting themselves backdoor access to machines running the software.

Fancy Bear Attribution

ASERT assesses with moderate confidence that the rogue Lojack agents are attributed to Fancy Bear based on shared infrastructure with previous operations. The following domains, extracted from the rogue Lojack agents trace back to Fancy Bear operations:

elaxo[.]org

ikmtrust[.]com

lxwo[.]org

sysanalyticweb[.]com (Figure 3 & Figure 4)

Researchers from Jigsaw Security, based on leads from Talos in late 2017, traced the domains elaxo[.]org and ikmtrust[.]com and the tool Sedupload, to a Fancy Bear operation. The domain lxwo[.]org appeared in a blog post from Threat Intel Recon that resolved to an IP address within a document attributed to Fancy Bear. The rogue Lojack samples containing the sysanalyticweb[.]com domains were only recently spotted in the wild (April 2018).

Despite the hijack of this software being a publicly known tactic, there are many similarities in the binary comparisons (above) and infrastructure analysis (below) that increase the probability it is the same actor(s):

All the listed domains are associated with the same Lojack agent utilizing the same compile time.

The domains in question all contain nonsensical Registrant information where the actor tends to copy/paste the same information in multiple fields.

Each domain includes a Registrant Name (often a nonsensical word), but additionally includes a similar word in the Registrant Organization field.

This is interesting because that is a field that is often skipped when a Registrant Name is present, but this actor(s) regularly utilizes both fields

Figure 3. XORed C2 Server – NETSCOUT

Figure 4. Live (April 2018) C2 – NETSCOUT

Conclusion & Recommendations

Hijacking legitimate software is a common enough tactic for malicious actors. A key factor making this activity so devious is the malicious Lojack samples were simply labeled “unsafe”, “suspicious”, or “DangerousObject”, rather than malware. As a result, rogue Lojack samples could fly under the radar and give attackers a stealthy backdoor into victim systems.

ASERT recommends scanning for rogue Lojack agents using the Yara signature listed in the Appendix (below) and blocking the domains contained within this blog.

Subscribe to this blog

First Name*

Last Name*

Company*

Email*

Phone

This field is for validation purposes and should be left unchanged.

Asert

Arbor’s Security Engineering & Response Team (ASERT) delivers world-class network security research and analysis for the benefit of today’s enterprise and network operators. ASERT engineers and researchers are part of an elite group of institutions that are referred to as ‘super remediators’ and represent the best in information security. ASERT has both visibility and remediation capabilities at nearly every tier one operator and a majority of service provider networks globally.

ASERT shares operationally viable intelligence with hundreds of international Computer Emergency Response Teams (CERTs) and with thousands of network operators via in-band security content feeds. ASERT also operates the world’s largest distributed honeynet, actively monitoring Internet threats around the clock and around the globe.

Arbor Networks has collaborated with Jigsaw (formerly Google Ideas) to create a data visualization that shows how Distributed Denial of Service (DDoS) attacks have become a global problem. The data is updated daily from Arbor’s global network of sensors and can be viewed at www.digitalattackmap.com